Tags: java, jsp, struts2, logout, post-redirect-get

After logout back/reload issue in Struts 2


I have a login page (Index.jsp) where the user enters a user ID and password. On submit, LoginAuthentication.java (the action class) is called and authenticates the user, and according to the result in the action class it returns the JSP.

<action name="login" class="com.struts2.LoginAuthentication"
    method="execute">
    <interceptor-ref name="clear-cache" />
    <result name="manager">/ManagerView.jsp</result>
    <result name="SSE" type="redirectAction">
        <param name="actionName">viewPlan</param>
        <param name="userID">${userID}</param>
    </result>
    <result name="input">/Index.jsp</result>
    <result name="error">/error.jsp</result>
</action>

In this case, it is returning ManagerView.jsp. Now in this JSP, I added a hyperlink for logout, and it does the following:

<action name="logout" class="com.struts2.LoginAuthentication"
    method="logout">
    <interceptor-ref name="clear-cache" />
    <result name="success">/Index.jsp</result>
    <result name="error">/error.jsp</result>
</action>

Code from Action class:

public String logout() {  
    //if (session instanceof org.apache.struts2.dispatcher.SessionMap) {
    session.clear();
    //session.re
    System.out.println("test");
    session.remove("loggedInUser");
    ((org.apache.struts2.dispatcher.SessionMap) session).invalidate();
   
    //}  
    return "success";
}

After logout it is redirected to Index.jsp. Now when I click the back button, it displays a "Confirm Form Resubmission" message in Chrome and "webpage expired" in IE. But when I reload the page, it logs in the old user automatically. I have added

<%                        
  response.setHeader("Cache-control", "no-cache, no-store");           
  response.setHeader("Expires", "0");
  response.setHeader("Vary", "*");
%> 

in the JSP as well as in the interceptor.

I am trying to block auto login on reload.


Solution

  • The problem is that after logout you are not actually redirected to a new action. That is the cause of the behavior where you pressed the back button and got a confirmation dialog in the browser. The back button is not used to call an action, unless it's not invoked via triggering it using Ajax. You should follow the post-redirect-get pattern when making the logout request.

    <action name="logout" class="com.struts2.LoginAuthentication" method="logout">
        <interceptor-ref name="clear-cache" />
        <result name="success" type="redirect">/</result>
        <result name="error">/error.jsp</result>
    </action>
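
The "confirm form resubmission" prompt in the question means the history entry being reloaded is the login POST itself, so a reload re-sends the credentials. The sketch below is an added example, not code from the original post: it applies the same post-redirect-get pattern to the login action. The action name `managerHome`, the class `ManagerHomeAction`, and the assumption that the login action stores the user under `loggedInUser` are hypothetical; it targets Struts 2.x (`com.opensymphony.xwork2` packages).

```java
package com.struts2;

import java.util.Map;

import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.ActionSupport;

/**
 * GET-only landing action for the manager view (hypothetical name), so the
 * login POST is answered with a redirect instead of rendering a JSP.
 *
 * Assumed struts.xml mapping ("managerHome" is an assumption):
 *
 *   <action name="login" class="com.struts2.LoginAuthentication" method="execute">
 *       <interceptor-ref name="clear-cache" />
 *       <!-- was: <result name="manager">/ManagerView.jsp</result> -->
 *       <result name="manager" type="redirectAction">managerHome</result>
 *       <!-- SSE, input and error results stay as in the question -->
 *   </action>
 *
 *   <action name="managerHome" class="com.struts2.ManagerHomeAction">
 *       <interceptor-ref name="clear-cache" />
 *       <result name="success">/ManagerView.jsp</result>
 *       <result name="login" type="redirect">/</result>
 *   </action>
 */
public class ManagerHomeAction extends ActionSupport {

    private static final long serialVersionUID = 1L;

    // Session key taken from the question's logout() method; assumed to be
    // the key the login action sets on successful authentication.
    private static final String USER_KEY = "loggedInUser";

    @Override
    public String execute() {
        // ActionContext exposes the session map directly, so this works even
        // though the mapping lists only the clear-cache interceptor.
        Map<String, Object> session = ActionContext.getContext().getSession();

        // After logout the session is invalidated: back/reload on this URL
        // repeats a GET that carries no credentials, finds no user, and is
        // sent to the login page.
        if (session == null || session.get(USER_KEY) == null) {
            return LOGIN;
        }
        return SUCCESS;
    }
}
```

With this mapping the browser history holds only GET entries after login, so neither back nor reload can replay the username and password.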